GAO Report: CMS Needs to Improve Fraud Risk Efforts

The Centers for Medicare and Medicaid Services (CMS) need to more fully align its antifraud efforts with the Government Accountability Office’s (GAO) Fraud Risk Framework, GAO auditors said in a report released Dec. 5. CMS’s anti-fraud programs currently align only partially with the risk framework, GAO’s investigation revealed.

According to the report, CMS’s overall approach to managing fraud risks across its four principal programs is incorporated into a broader program administered through its Center for Program Integrity (CPI). While CMS has shown “commitment to combating fraud” by establishing CPI to lead its antifraud efforts, it has not conducted a fraud-risk assessment for Medicare or Medicaid and has not implemented risk-based antifraud strategies, such as those recommended in GAO’s Fraud Risk Framework.

The Fraud Risk Framework was published in July 2015 to help Federal managers combat fraud and preserve integrity in government agencies and programs. GAO identified leading practices for managing fraud risks and organized them into a conceptual framework that encompasses control activities to prevent, detect, and respond to fraud. It includes an emphasis on prevention, as well as on structures and environmental factors that help managers mitigate fraud risks. In addition, the framework highlights the importance of monitoring and incorporating feedback.

“A fraud-risk assessment allows managers to fully consider fraud risks to their programs, analyze their likelihood and impact and prioritize risks,” GAO said. “Managers can then design and implement a strategy with specific control activities to mitigate these risks.”

In their latest report, GAO auditors said that within its program-integrity activities, CMS has established several control procedures that are specific to managing fraud risks, while others serve broader program-integrity purposes.

According to CMS officials, the agency’s antifraud controls mainly focus on providers working within Medicare fee for service (FFS) activities. CMS officials told GAO that when CPI began operating, its primary focus was developing program integrity for Medicare FFS. As a result, it’s the most “mature” of all their programs.

CMS’s fraud control activities use the Fraud Prevention System (FPS), a predictive-analytics technology system that helps identify potentially fraudulent payments in Medicare. The analytics system has proved to be effective, according to GAO.

In an August 2017 report on the Fraud Prevention System, GAO said that investigations supported by FPS led to corrective actions against providers and generated savings. For example, in fiscal year 2016, CMS reported that 90 providers had their payments suspended because of investigations supported by FPS, which resulted in an estimated $6.7 million in savings. In fiscal year 2016, 22 percent of Medicare fraud investigations conducted by CMS program integrity contractors were based on leads generated by FPS analysis of Medicare claims data. CMS reported that FPS edits denied nearly 324,000 claims and saved more than $20.4 million in 2016.

Officials representing Medicare’s program-integrity contractors told GAO that FPS helps speed up certain investigation processes, such as identifying suspect providers for investigation. However, the officials said that once an investigation is initiated, FPS has generally not sped up the process for investigating and gathering evidence against suspect providers.

The Dec. 5 report also found shortcomings in CMS antifraud training programs. While CMS requires antifraud training for stakeholder groups such as providers, beneficiaries, and health-insurance plans, it doesn’t offer or require fraud-awareness training on a regular basis for its employees, a practice that the Fraud Risk Framework identifies as “a way that agencies can help create a culture of integrity and compliance,” GAO said.

To help CMS improve its antifraud programs, GAO recommended that CMS should:

Require new hires to undergo fraud risk training, with follow-up training for all employees.

Conduct fraud risk assessments for Medicare and Medicaid to include respective fraud risk profiles and plans for regularly updating the assessments and profiles.

Use the results of the fraud risk assessments for Medicare and Medicaid to create, document, implement, and communicate an antifraud strategy that is aligned with and responsive to regularly assessed fraud risks.